CyberNews: 28/12/2025 Edition
Today’s roundup
Summary
A critical serialization injection vulnerability, CVE-2025-68664 with a CVSS score of 9.3, has been identified in LangChain Core (langchain-core), a foundational Python package for building LLM-based applications. Reported by researcher Yarden Porat on December 4, 2025, and dubbed "LangGrinch," the flaw resides in the dumps() and dumpd() functions. These functions fail to properly escape user-controlled dictionaries containing 'lc' keys, which are internally used to mark serialized objects. When deserialized, such user-controlled data is mistakenly treated as legitimate LangChain objects. This enables attackers to inject malicious object structures, potentially leading to the leakage of sensitive environment variables, instantiation of classes within trusted LangChain namespaces, and even remote code execution via Jinja2 templates through prompt injection. Given LangChain's widespread deployment, users are urged to update to patched versions 1.2.5 or 0.3.81 immediately.
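To make the marker-key confusion described above concrete, here is an added example (not code from LangChain or from the original report) with a toy walker that picks out every dict carrying an `lc` key the way a marker-trusting deserializer would, beside a fail-closed guard that refuses to serialize user-controlled data containing such dicts. The record shape and sample data are constructed assumptions for illustration only.

```python
import json
from typing import Any, Dict, List, Tuple

MARKER_KEY = "lc"  # key the page says marks serialized LangChain objects

# Constructed sample data. The record shape (marker, type, dotted id path) is an
# assumption for this example, not a statement of langchain-core's exact format.
TRUSTED_RECORD: Dict[str, Any] = {
    "lc": 1, "type": "constructor", "id": ["demo", "prompts", "Prompt"],
    "kwargs": {"template": "Summarise: {text}"},
}
# Attacker-controlled field whose value happens to be shaped like an object record.
USER_INPUT: Dict[str, Any] = {
    "text": {"lc": 1, "type": "constructor", "id": ["demo", "injected", "Thing"], "kwargs": {}},
}

def marker_dicts(obj: Any, path: str = "$") -> List[Tuple[str, Any]]:
    """Walk nested dicts/lists and return (path, id) for every dict that carries
    the marker key. This mirrors how a deserializer that trusts the marker would
    pick out 'objects', so it doubles as an audit of untrusted input."""
    hits: List[Tuple[str, Any]] = []
    if isinstance(obj, dict):
        if MARKER_KEY in obj:
            hits.append((path, obj.get("id")))
        for key, value in obj.items():
            hits.extend(marker_dicts(value, f"{path}.{key}"))
    elif isinstance(obj, list):
        for index, value in enumerate(obj):
            hits.extend(marker_dicts(value, f"{path}[{index}]"))
    return hits

def unguarded_payload(trusted: Dict[str, Any], user: Dict[str, Any]) -> str:
    """Serialize without escaping: after a round trip the user's dict is
    indistinguishable from the application's own object record."""
    return json.dumps({"prompt": trusted, "input": user})

def guarded_payload(trusted: Dict[str, Any], user: Dict[str, Any]) -> str:
    """Fail closed: refuse to serialize if user-controlled data contains any
    dict that would be read back as an object record."""
    collisions = [path for path, _ in marker_dicts(user)]
    if collisions:
        raise ValueError(f"marker key {MARKER_KEY!r} in untrusted data at {collisions}")
    return unguarded_payload(trusted, user)

if __name__ == "__main__":
    # The unguarded payload yields two 'objects'; only the first is legitimate.
    print(marker_dicts(json.loads(unguarded_payload(TRUSTED_RECORD, USER_INPUT))))
    try:
        guarded_payload(TRUSTED_RECORD, USER_INPUT)
    except ValueError as err:
        print("rejected:", err)
```

The same walk that surfaces the injected record is what a deserializer would do if it trusted the marker alone, which is why the guard has to run on untrusted data before it is merged into anything that gets serialized.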
Ubisoft's popular tactical shooter, Rainbow Six Siege (R6), recently experienced a significant breach where threat actors exploited internal systems. The attackers gained unauthorized access, allowing them to ban and unban players, manipulate in-game moderation feeds, and illicitly grant billions of in-game credits and cosmetic items to accounts globally. The incident highlights the critical impact of internal system compromises, even within gaming environments, on player experience and game economy.
Vulnerabilities
| CVE | Severity |
| --- | --- |
| CVE-2025-68664 | Critical |